httpd-dev mailing list archives

From Michael Weiser <mich...@weiser.dinsnail.net>
Subject Re: [users@httpd] SNI with apache 2.4.1 reverse proxy
Date Tue, 10 Apr 2012 08:01:11 GMT
Hi Igor,
Hi Daniel,

On Mon, Apr 09, 2012 at 08:56:12AM -0000, Igor Galić wrote:

> > Then it looks like mod_proxy_http determines the value for
> > "proxy-request-hostname" from the remote URL in ProxyPass, but is
> > passing on the Host header from the original request.
> That would imply ProxyPreserveHost on -- which is off by default
> I also don't see it in Micha's paste.

Uh, I am very sorry to have wasted your time, but I actually do have

ProxyPreserveHost On

in my config. It was in between some comments and I must have removed it
together with them. I have checked and it seems to be the only
statement missing from my mail.

I have it in there because wordpress has a feature of automatically
using the host name from the request in all links in the HTML it
generates. Unfortunately, it insists on creating absolute instead of
relative links. This is also why I access wordpress inside the VM via
HTTPS at all: This way it automatically (or at least with only a
very small patch to its config.php) generates https:// links in its
responses when accessed via HTTPS, making the reverse proxy very simple
(apart from the SSL bit) and almost transparent.

At first I tried to configure the reverse proxy to plain http:// (SSL
termination, so to speak) and rewrite all links using mod_proxy_html for
performance and because it seemed the straightforward thing to do. But I
had various detail problems within wordpress I couldn't solve (with
links to uploaded files for example). So I switched to just passing on
the original requests as unchanged as possible.

As for the SNI bit: So I tell the reverse proxy to access
https://www.example.com:12433/ but pass on the Host header unchanged.
The wordpress VM's apache 2.2.14 gets upset with this discrepancy and
denies to serve the requests. As I perhaps poorly explained in the
second part of my mail, I tried to tell the reverse proxy to access
https://<Host-header>:12443/ instead but couldn't make it work.

A solution might be something like:

ProxyPass / https://www.example.com:12443/ no-sni
ProxyPassReverse / https://www.example.com:12443/ no-sni

, disabling SNI towards the backend server.

Or can I tell the 2.2.14 apache inside the VM to ignore the SNI data it
sees in the requests?

The best solution I can think of would be some switch like

ProxyPass / https://www.example.com:12443/ pass-host-as-sni
ProxyPassReverse / https://www.example.com:12443/ pass-host-as-sni

that makes mod_ssl put the content of the host header into the sni data
structures instead of the hostname from the URL used in the
ProxyPass(Reverse) configuration itself. This way even name-based
virtual hosts should work behind the reverse proxy.
-- 
Thanks for your patience,
Micha
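
Added example, not part of the original message: a small Python check that scans a front-end vhost for the combination described in this thread (ProxyPreserveHost On plus an https:// ProxyPass target) and lists which forwarded Host values would differ from the SNI name taken from the ProxyPass URL. The sample config, the names blog.example.org and www.example.org, and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed front-end vhost; blog.example.org and www.example.org are made-up names.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName blog.example.org
    ServerAlias www.example.org
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass / https://www.example.com:12443/
    ProxyPassReverse / https://www.example.com:12443/
</VirtualHost>
"""

def sni_host_mismatches(conf):
    """List (host_header, sni_name) pairs the TLS backend would see disagreeing."""
    findings = []
    vhosts = re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I)
    for body in vhosts:
        rows = [ln.split() for ln in body.splitlines()
                if ln.strip() and not ln.strip().startswith("#")]
        rows = [(r[0].lower(), r[1:]) for r in rows]
        # With ProxyPreserveHost off, Host is rewritten to the backend name
        # from the ProxyPass URL, so it matches the SNI name.
        if not any(k == "proxypreservehost" and a[:1] and a[0].lower() == "on"
                   for k, a in rows):
            continue
        names = [n.lower() for k, a in rows
                 if k in ("servername", "serveralias") for n in a]
        backends = {urlsplit(a[1]).hostname for k, a in rows
                    if k == "proxypass" and len(a) > 1
                    and a[1].lower().startswith("https://")}
        for sni in sorted(backends):
            findings += [(name, sni) for name in names if name != sni]
    return findings

if __name__ == "__main__":
    for host, sni in sni_host_mismatches(SAMPLE_CONF):
        print(f"Host: {host} is forwarded while SNI carries {sni}")
```

The check only looks at ServerName and ServerAlias values, so a client sending any other Host header to the vhost is not covered.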
